How to add Roles/Group to user based on their Google Groups (via Identity Provider)

I want to call out to Google to authenticate my users.
This part works fine via adding an Identity Provider.

What I would like to do now is add the user to a group or add a role to that user based on the user groups that they are part of in Google.

I’m sure this should be achievable, but I can’t find the documentation to guide me.

Mappers are your friend.
In the data Keycloak gets from Google (most likely a token, with username, email, etc…) the roles and groups should be contained (if not, see how you add them on the Google side). Then, you can map the data from the Google-token to the Keycloak model and use claim-to-group mappers and similar.

Can you point me in the direction of the documentation, please?

Is this a mapper on the Identity Provider or on the Client?

Does this require release 17? I did see a PR in this area: KEYCLOAK-19283 Implemented new "Advanced claim to group" idp mapper by artur-baltabayev · Pull Request #8467 · keycloak/keycloak · GitHub

It’s a mapper of the IdP, has nothing to do with the client.
I don’t know this advanced mapper; I do group mapping with an Azure AD IdP using the regular claim-to-group mapper, and have for a few versions already, so there is no need to use KC17, although you should always use the most recent version.

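The two replies above say the same thing: the decision is made by an IdP mapper that compares a claim in what Google (or any OIDC provider) returns against a configured value. The script below is an added illustration for this thread, not Keycloak's code and not from any poster. It models the behaviour of the Advanced Claim to Group mapper (all listed claims must match, optionally as regex) over two constructed claim sets: one shaped like the Google userinfo quoted later in the thread, which carries no groups claim at all, and one with a hypothetical `groups` array as an IdP such as Azure AD would emit. The mapper names, group paths and the `xxxx.com` domain are assumptions. The one claim Google does send that a mapper can key on is `hd` (the Workspace hosted domain), which the second mapper uses.

```python
"""Model of how a Keycloak IdP "claim to group" mapper decides membership.

Added illustration for this thread, not Keycloak's own code. It mirrors the
Advanced Claim to Group mapper's rule (every listed claim must match; values
compared as strings, optionally as a regex) so you can see what a given token
would produce before wiring the mapper up in the admin console.
"""
import re
from dataclasses import dataclass

# Constructed sample: the same fields Google returned in the thread, no 'groups'.
GOOGLE_USERINFO = {
    "sub": "1111111111111",
    "name": "Jeff Porter",
    "email": "jporter@xxx.com",
    "email_verified": True,
    "hd": "xxxx.com",
}

# Constructed sample of a token from an IdP that does emit groups (the Azure AD
# case mentioned above); the 'groups' values are invented.
TOKEN_WITH_GROUPS = dict(GOOGLE_USERINFO, groups=["admins", "devs"])


@dataclass(frozen=True)
class ClaimRule:
    claim: str          # claim name in the IdP token / userinfo
    value: str          # expected value, or a regex when the mapper is in regex mode


@dataclass(frozen=True)
class ClaimToGroupMapper:
    name: str
    rules: tuple        # all rules must match (AND), as in the advanced mapper
    group: str          # Keycloak group path, e.g. "/admins"
    regex: bool = False


def _as_strings(value):
    """This model compares claim values as strings; booleans become 'true'/'false'
    so a mapper configured with the string "true" can match email_verified."""
    items = value if isinstance(value, list) else [value]
    return [str(v).lower() if isinstance(v, bool) else str(v) for v in items]


def claim_matches(claims, rule, regex=False):
    if rule.claim not in claims:
        return False       # an absent claim never matches (Google's case for 'groups')
    for s in _as_strings(claims[rule.claim]):
        if regex and re.fullmatch(rule.value, s):
            return True
        if not regex and s == rule.value:
            return True
    return False


def evaluate(claims, mappers):
    """Return the sorted group paths a user with these claims would be added to."""
    return sorted({m.group for m in mappers
                   if all(claim_matches(claims, r, m.regex) for r in m.rules)})


# Hypothetical mapper set (names and group paths are assumptions).
MAPPERS = (
    ClaimToGroupMapper("google-admins", (ClaimRule("groups", "admins"),), "/admins"),
    # Google sends no groups, but it does send 'hd' for Workspace accounts, so a
    # mapper keyed on the hosted domain plus a verified email is what its token allows.
    ClaimToGroupMapper("workspace-staff",
                       (ClaimRule("hd", "xxxx.com"), ClaimRule("email_verified", "true")),
                       "/xxxx-staff"),
)

if __name__ == "__main__":
    print(evaluate(GOOGLE_USERINFO, MAPPERS))     # ['/xxxx-staff']
    print(evaluate(TOKEN_WITH_GROUPS, MAPPERS))   # ['/admins', '/xxxx-staff']
```

Running it shows the point of the thread in one line: the Google-shaped claims never reach `/admins` because there is nothing to match, while the `hd`-keyed mapper does fire. Keying access on `hd` alone is coarse (every account in the domain qualifies), so pair it with `email_verified` as above and keep the mapper's sync mode set to re-evaluate on every login.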

I’ve spent another day on this and am no further forward.

I am coming to the conclusion that I am misunderstanding what KeyCloak does.

I can create an Identity provider…

But nowhere do I find any config allowing me to get the groups back from Google, even if I pass over the scope mentioned in their docs: https://developers.google.com/identity/protocols/oauth2/scopes

All I get back is…

{
   "sub":"1111111111111",
   "name":"Jeff Porter",
   "given_name":"Jeff",
   "family_name":"Porter",
   "profile":"https://plus.google.com/1111111111",
   "picture":"https://lh3.googleusercontent.com/a/111111111-c",
   "email":"jporter@xxx.com",
   "email_verified":true,
   "locale":"en-GB",
   "hd":"xxxx.com"
}

If I did manage to get back the groups info, then I get stuck again, since I can find no way to add a User into a KeyCloak group or add a role based on anything in the token.

Is my only choice to use an SPI to call out to Google, get the groups, and then have the SPI add the user to a group/role based on that response?

Is this my only option? Has this been done before?

Did you find any way to do that?

I am also facing the same issue. I can’t find how to map Google roles to Keycloak. I am surprised that it is such a basic thing and there is no documentation for it.

Here is some information that can get you going.

Basically, in Keycloak, for the Google Identity Provider, create a mapper to inject the Google Groups; you can map it to whatever you wish in Keycloak. NB: this is subject to Google actually releasing group information.

https://wjw465150.gitbooks.io/keycloak-documentation/content/server_admin/topics/identity-broker/mappers.html

https://documentation.avaya.com/bundle/AdministeringAvayaDeviceServices_R8.0.2/page/OAuth2___attribute_mapping_between_Keycloak_and_provider.html

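The last reply points at the mapper docs; what they leave out is what the mapper looks like as an object, which is useful both for scripting it and for the SPI question raised earlier (a custom mapper is registered and configured the same way). The script below is an added example for this thread, not Keycloak project code and not from any poster. It builds the IdentityProviderMapperRepresentation for an Advanced Claim to Group mapper and for a plain Claim to Role mapper, and can POST them through the Admin REST API. The mapper type IDs and config keys (`oidc-advanced-group-idp-mapper`, `oidc-role-idp-mapper`, `claims`, `are.claim.values.regex`, `group`, `claim`, `claim.value`, `role`, `syncMode`) are the ones used in Keycloak's source as I know it; confirm they appear in the mapper-type dropdown of your version, and check whether the built-in Google provider offers them at all (the Azure AD case above used a generic OIDC provider). The IdP alias `google`, realm `demo`, group path `/xxxx-staff`, role `staff` and the environment variable names are assumptions.

```python
"""Builds (and optionally creates) a Keycloak IdP mapper via the Admin REST API.

Added example for this thread, not Keycloak project code. Mapper type IDs and
config keys are the ones in Keycloak's source as I recall them; verify them
against your version's admin console before relying on them. Alias "google",
realm "demo", group "/xxxx-staff" and role "staff" are assumptions.
"""
import json
import os
import urllib.parse
import urllib.request

ADVANCED_CLAIM_TO_GROUP = "oidc-advanced-group-idp-mapper"   # "Advanced Claim to Group"
CLAIM_TO_ROLE = "oidc-role-idp-mapper"                       # "Claim to Role"


def build_claim_to_group_mapper(idp_alias, name, claim_rules, group_path,
                                regex=False, sync_mode="FORCE"):
    """Representation for an Advanced Claim to Group mapper.

    claim_rules: list of (claim, expected value) pairs; all must match.
    sync_mode FORCE re-evaluates on every login, so a user who loses the claim
    also loses the group instead of keeping it from the first import.
    """
    return {
        "name": name,
        "identityProviderAlias": idp_alias,
        "identityProviderMapper": ADVANCED_CLAIM_TO_GROUP,
        "config": {
            "syncMode": sync_mode,
            # The UI stores the claim list as a JSON string inside the config map.
            "claims": json.dumps([{"key": k, "value": v} for k, v in claim_rules]),
            "are.claim.values.regex": "true" if regex else "false",
            "group": group_path,
        },
    }


def build_claim_to_role_mapper(idp_alias, name, claim, claim_value, role,
                               sync_mode="FORCE"):
    """Representation for the plain Claim to Role mapper.
    role is a realm role name, or 'clientId.roleName' for a client role."""
    return {
        "name": name,
        "identityProviderAlias": idp_alias,
        "identityProviderMapper": CLAIM_TO_ROLE,
        "config": {
            "syncMode": sync_mode,
            "claim": claim,
            "claim.value": claim_value,
            "role": role,
        },
    }


def admin_token(base_url, username, password):
    """Password grant against the master realm's admin-cli client."""
    body = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(
        f"{base_url}/realms/master/protocol/openid-connect/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def create_idp_mapper(base_url, realm, token, mapper):
    """POST the mapper under its IdP instance; Keycloak answers 201 Created."""
    url = (f"{base_url}/admin/realms/{realm}/identity-provider/instances/"
           f"{mapper['identityProviderAlias']}/mappers")
    req = urllib.request.Request(
        url, data=json.dumps(mapper).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Base URL: http://host:8080 on Keycloak 17+ (Quarkus), http://host:8080/auth before.
    base = os.environ.get("KC_URL", "http://localhost:8080")
    staff = build_claim_to_group_mapper(
        "google", "workspace-staff",
        [("hd", "xxxx.com"), ("email_verified", "true")], "/xxxx-staff")
    print(json.dumps(staff, indent=2))
    if "KC_ADMIN_PASSWORD" in os.environ:    # only talk to a server when asked to
        tok = admin_token(base, os.environ.get("KC_ADMIN_USER", "admin"),
                          os.environ["KC_ADMIN_PASSWORD"])
        print(create_idp_mapper(base, "demo", tok, staff))
```

Without `KC_ADMIN_PASSWORD` set the script only prints the payload, which you can compare against what the admin console generates (export the realm, or fetch the mapper with a GET on the same URL). The group path must already exist in the realm; the mapper adds users to it, it does not create it.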